Description of problem:
Network tag has option domain with optional localOnly parameter. This parameter ensures that under a given domain name, no other names would be forwarded to upstream DNS servers. However, this feature is not simple enough to take advantage of. dnsmasq is great, it handles all names inside. But any such domain cannot be simply delegated from outside name servers. Dnsmasq has an option to act as authoritative server for a given domain. I would like to use dnsmasq authoritative, so it does return NXDOMAIN for names that do not exist without a query to upstream. At the same time, it would

Version-Release number of selected component (if applicable):
libvirt-4.7.0-1.fc29.x86_64

How reproducible:
always

Steps to Reproduce:
1. virsh net-edit default
   <network>
   ...
   <domain name='vm' localOnly='yes'/>
   ...
2. dig @192.168.122.1 -t SOA -q vm
3. dig +norec @192.168.122.1 nonexistent.vm

Actual results:
# 2.
; <<>> DiG 9.11.6-RedHat-9.11.6-2.fc29 <<>> +norec @vhost-ns.vm -t SOA -q vm
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20970
;; flags: qr ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vm.                            IN      SOA

# 3.
; <<>> DiG 9.11.6-RedHat-9.11.6-2.fc29 <<>> +norec @vhost-ns.vm -t A nonexistent.vm
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53947
;; flags: qr ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nonexistent.vm.                IN      A

Expected results:
dig -p 8153 @localhost -t SOA vm

# 2.
; <<>> DiG 9.11.6-RedHat-9.11.6-2.fc29 <<>> -p 8153 @localhost -t SOA vm
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60467
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vm.                            IN      SOA

;; ANSWER SECTION:
vm.                     600     IN      SOA     . . 1 1200 180 1209600 600

;; AUTHORITY SECTION:
vm.                     600     IN      NS      .
vm.                     600     IN      NS      vm.

# 3.
; <<>> DiG 9.11.6-RedHat-9.11.6-2.fc29 <<>> +norec -p 8153 @localhost -t A nonexistent.vm
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62707
;; flags: qr ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nonexistent.vm.                IN      A

Additional info:
Dnsmasq has option auth-zone=<domain>, which I think should be possible to use. If hosts are in such zones, non-recursive queries will not fail. Also, dnsmasq would think it is authoritative and return NXDOMAIN on unknown names directly. But I think the biggest advantage is the simplicity of forwarding a subdomain to dnsmasq. If there is a normal recursive server on the local network that allows modification of some records, just a modification of the DNS zone would allow all such names to be available on the whole network.

Example:
<domain localOnly=yes authoritative=yes>pemensik.vm</domain>

Then into the vm.db zone, let's say provided by BIND, I would have to add just:
pemensik.vm.            IN      NS      pemensik-libvirt.vm.
pemensik-libvirt        IN      A       10.1.2.28

pemensik-libvirt is the IP of the libvirt interface on my computer, where I allowed access in the firewall. Now anyone can use the name machine1.pemensik.vm in the local network and access my computer. Great thing, it can use just the nsupdate tool from DHCP to configure always different names. It would scale quite well. Unfortunately recent dnsmasq does not respond to queries with +norec at all, always returns REFUSED. It would not return such a reply in authoritative mode, but I think it is not possible to enable it from libvirt. Is there a workaround to add dnsmasq specific options from virsh net-edit?
Also, authoritative mode would allow AXFR transfer of all parsed and allocated names:
dig @vhost-ns.vm -t AXFR vm

If that is not wanted, it can be disabled by the dnsmasq option auth-peer=127.0.0.1 or something similar.
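The report's test is a non-recursive query (dig +norec): a server that is authoritative for the zone answers with the AA bit and NOERROR or NXDOMAIN, while a forwarder-only dnsmasq cannot. The script below, an added example that is not part of the bug report, builds the same RD=0 query by hand, parses the reply header, and classifies the server accordingly. It uses only the standard library; the server address and the reply bytes used for the offline checks are constructed for illustration.

```python
"""Probe a resolver with a non-recursive (RD=0) query, as the report does with
`dig +norec`, and classify what the reply says about authority for the zone.
Added example, not part of the bug report; stdlib only."""
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r in %r" % (label, name))
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="SOA", txid=0, recursion_desired=False):
    """12-byte header plus one question. RD stays clear unless asked for,
    which is exactly what `dig +norec` sends."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(resp):
    """Pull id, flag bits and RCODE out of a reply header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(hdr):
    """What a reply to an RD=0 query tells us about the server's role."""
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["aa"] and hdr["rcode"] in ("NOERROR", "NXDOMAIN"):
        return "authoritative"      # the behaviour the report asks for
    if hdr["rcode"] == "REFUSED":
        return "refused"            # what the reporter describes for recent dnsmasq
    if hdr["rcode"] == "SERVFAIL":
        return "servfail"           # the report's "Actual results": not authoritative
    return "non-authoritative"


def probe(server, name, qtype="SOA", port=53, timeout=2.0):
    """Send the RD=0 query over UDP and return (header, classification).
    Needs a live server (e.g. the libvirt bridge address), so the offline
    checks exercise build_query/parse_header/classify instead."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    q = build_query(name, qtype, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txid:
        raise ValueError("transaction id mismatch: discarding reply")
    return hdr, classify(hdr)


if __name__ == "__main__":
    import sys
    # 192.168.122.1 is the bridge address from the report; pass another as argv[1].
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.122.1"
    for name in ("vm", "nonexistent.vm"):
        hdr, verdict = probe(server, name)
        print("%-18s rcode=%-8s aa=%-5s -> %s"
              % (name, hdr["rcode"], hdr["aa"], verdict))
```

Run it against the bridge address before and after changing the network definition: the "before" state of the report corresponds to `servfail` (or `refused`), and the expected result to `authoritative` for both the SOA of vm and an NXDOMAIN for nonexistent.vm. The transaction-id check is there because an unsolicited UDP reply with a different id must never be treated as the answer.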
FWIW the <network> XML supports passing raw options to the dnsmasq config. That may be a workaround for this instance; it would be useful if someone could confirm it works: https://libvirt.org/formatnetwork.html#elementsNamespaces

Example would be like:
<network xmlns:dnsmasq='http://libvirt.org/schemas/network/dnsmasq/1.0'>
  ...
  <dnsmasq:options>
    <dnsmasq:option value="auth-zone=XXX"/>
  </dnsmasq:options>
</network>
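As an added example (not libvirt's code and not from the comment above), the following script patches a network definition using the dnsmasq XML namespace the comment points to. It adds the auth-zone= option the reporter asked about and the auth-peer= option mentioned for limiting zone transfers, and refuses to do so unless the domain is already localOnly='yes', so that names are not served authoritatively for a domain that is still being forwarded upstream. The sample network XML is constructed to resemble libvirt's default network; whether these two dnsmasq options alone produce the wanted behaviour (for example whether dnsmasq also needs auth-server) is not settled on this page and should be checked against the dnsmasq manual.

```python
"""Patch a libvirt <network> definition so its dnsmasq gets extra raw options,
via the dnsmasq XML namespace documented in formatnetwork.html.
Added example, not libvirt's own code."""
import xml.etree.ElementTree as ET

DNSMASQ_NS = "http://libvirt.org/schemas/network/dnsmasq/1.0"
ET.register_namespace("dnsmasq", DNSMASQ_NS)


def _q(tag):
    """Clark-notation name for a tag in the dnsmasq namespace."""
    return "{%s}%s" % (DNSMASQ_NS, tag)


def auth_zone_options(root, peer="127.0.0.1"):
    """Derive the options from <domain>: auth-zone for the local-only domain
    and auth-peer to restrict AXFR, the two options named in the report.
    That these suffice is the reporter's hypothesis, not confirmed here."""
    dom = root.find("domain")
    name = dom.get("name") if dom is not None else None
    if not name:
        raise ValueError("network has no <domain name=...>")
    if dom.get("localOnly") != "yes":
        raise ValueError("refusing to make dnsmasq authoritative for %r: "
                         "set localOnly='yes' on <domain> first" % name)
    return ["auth-zone=%s" % name, "auth-peer=%s" % peer]


def add_dnsmasq_options(network_xml, options=None):
    """Return the network XML with <dnsmasq:options> holding each option once.
    Re-applying to its own output changes nothing."""
    root = ET.fromstring(network_xml)
    if root.tag != "network":
        raise ValueError("expected <network> root, got <%s>" % root.tag)
    if options is None:
        options = auth_zone_options(root)
    opts = root.find(_q("options"))
    if opts is None:
        opts = ET.SubElement(root, _q("options"))
    present = {o.get("value") for o in opts.findall(_q("option"))}
    for value in options:
        if value not in present:
            ET.SubElement(opts, _q("option"), value=value)
            present.add(value)
    return ET.tostring(root, encoding="unicode")


def dnsmasq_options(network_xml):
    """List the raw dnsmasq option values already in a definition."""
    root = ET.fromstring(network_xml)
    return [o.get("value") for o in root.iter(_q("option"))]


# Constructed sample shaped like libvirt's "default" network, with the
# localOnly domain from the report (uuid/mac omitted; libvirt generates them).
SAMPLE_NETWORK = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <domain name='vm' localOnly='yes'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
"""

if __name__ == "__main__":
    print(add_dnsmasq_options(SAMPLE_NETWORK))
```

Write the output to a file and load it with virsh net-define, then virsh net-destroy and virsh net-start the network so libvirt restarts its dnsmasq with the new options; after that, repeat the dig +norec queries from the report. Keep auth-peer limited to hosts that really need zone transfers, since an open AXFR lists every guest name dnsmasq knows.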
Thank you for reporting this issue to the libvirt project. Unfortunately we have been unable to resolve this issue due to insufficient maintainer capacity and it will now be closed. This is not a reflection on the possible validity of the issue, merely the lack of resources to investigate and address it, for which we apologise. If you nonetheless feel the issue is still important, you may choose to report it again at the new project issue tracker https://gitlab.com/libvirt/libvirt/-/issues The project also welcomes contributions from anyone who believes they can provide a solution.